
My friend brought their Nintendo Switch to my place a few days ago and we realized my home network was too restrictive to allow it to do online play.  The home network runs a pfSense firewall/router, configured typically for the most part, but without UPnP & NAT-PMP service. Turns out, the Switch requires these in order to play many of the internet-enabled multiplayer games.  This post just documents the things I did to get it working while keeping in mind the security concerns with these services.

I personally don’t like UPnP and can get along without it, normally. To start with, I tried a static IP and port forwarding a large range of ports, but these changes didn’t seem to cut the mustard. So I ended up enabling UPnP and NAT-PMP to stop the Switch from complaining. Thankfully there are ACLs in pfSense for these services, so I can control which members of the network can access the services.

The Steps:

1. Set a Static IP

Navigate to Services > DHCP Server and scroll to the bottom of the settings page to find the static mapping section. Click “Add” and fill out the static map for your Switch. You will need to copy the MAC address from the network settings of your own Nintendo Switch! Mine looks like this:

DHCP Settings - Static IP Mapping for Nintendo Switch using MAC address.

2. Enable Hybrid NAT Rules

Navigate to Firewall > NAT > Outbound, select “Hybrid Outbound NAT rule generation”, and save the settings change. The screen should look like this:

Enable NAT Hybrid Rules in pfSense

3. Create Outbound NAT Rule

While still in Firewall > NAT > Outbound, after saving the change above, you should be able to add new mappings to the list. Add a new rule to the bottom of the list using the second “Add” button. My outbound mapping rule looks like this:

Create an Outbound NAT mapping in pfSense

4. Enable UPnP & NAT-PMP Services

Now navigate to and enable the UPnP and NAT-PMP services, configuring the service to deny clients by default and allow only the Nintendo Switch’s static IP and the ports it might need. My configurations look like this:

Enable UPnP and NAT-PMP in pfSense.

Enable Access Control List for UPnP and NAT-PMP in pfSense

5. Check & Apply Network Settings

At this point you might need to double check that your changes have applied correctly. Your Nintendo Switch console has probably already been assigned an IP address by your previous DHCP settings, and this might require you to clear the old DHCP lease info from pfSense and also reset the console in order to get a new IP address. Once your Nintendo Switch is using the static IP you’ve set up, you should be good to go!
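The deny-by-default ACL from step 4 can be checked before the entries are entered in pfSense. This is an added example, not part of the original post: it assumes entries in the `[allow or deny] [ext port or range] [int ipaddr or ipaddr/cidr] [int port or range]` form, and the IP address, function names and sample entries are constructed placeholders.

```python
import ipaddress

SWITCH_IP = "192.168.1.50"  # constructed placeholder: use your own static mapping

def parse_ports(spec):
    """Return (low, high) for a port spec such as '1024' or '1024-65535'."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return low, high

def audit_acl(lines, allowed_host, deny_by_default):
    """Return findings for UPnP/NAT-PMP ACL entries that are broader than intended."""
    findings = []
    if not deny_by_default:
        findings.append("default-deny is off: unlisted clients can map ports")
    host = ipaddress.ip_address(allowed_host)
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            findings.append(f"entry {n}: malformed: {line!r}")
            continue
        action, ext, net, internal = fields
        try:
            network = ipaddress.ip_network(net, strict=False)
            ext_low, _ = parse_ports(ext)
            parse_ports(internal)
        except ValueError as err:
            findings.append(f"entry {n}: {err}")
            continue
        if action != "allow":
            continue  # deny entries cannot widen access
        if network.num_addresses > 1:
            findings.append(f"entry {n}: allows a whole subnet ({network})")
        elif network.network_address != host:
            findings.append(f"entry {n}: allows unexpected host {network.network_address}")
        if ext_low < 1024:
            findings.append(f"entry {n}: exposes privileged external ports ({ext})")
    return findings

if __name__ == "__main__":
    # Constructed sample: one tight entry and one that is too broad.
    sample = ["allow 1024-65535 192.168.1.50 1024-65535",
              "allow 0-65535 192.168.1.0/24 0-65535"]
    for finding in audit_acl(sample, SWITCH_IP, deny_by_default=True):
        print(finding)
```

An empty result means every allow entry is limited to the one static IP and to unprivileged external ports, with everything else denied.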